Qubes on a laptop or a desktop: which is more secure?

fiftyfourthparallel · December 8, 2021, 10:37am

One argument I can see for laptops is that they are an integrated unit that doesn’t depend on a host of external devices. For example, they have integrated keyboards, trackpads, and screens. It’s entirely feasible to not have a sys-USB. However, how the idiosyncracies in how components are wired together can lead to passthrough issues or worse (e.g. @alzer89 mentioned that some MacBooks have the keyboard, trackpad, bluetooth, wifi and more on the same bus).

One argument I can see for desktops is that they don’t tend to travel around and are harder to access or steal, and suspect components can be quickly swapped out. Howeber, on top of lacking portability, desktops also require a far wider trust base since components and external devices tend to be from a constellation of manufacturers.

If you were to build the ultimate secure workstation (whatever that means to you), would it be a laptop or a desktop? Why?

necker · December 8, 2021, 11:12am

Let’s assume both are trusted machines…

It seems that a laptop is easier to keep in one’s possession, protect from physical threats, transport and utilize in more contexts for greater tactical advantage and through more networks for greater privacy advantage.

One of the most common threats to privacy is the user accessing the internet from personally associated networks. Desktops are generally anchored to single locations resulting in less network diversification. They are often left unattended and unprotected. Laptops can easily be put in a safe if they need to be left unattended.

If the user can only choose desktop or laptop for a computer, the desktop user will likely be using a mobile device on the road which tend to be less secure than a computer running Qubes - so the laptop user would be less inconvenienced making more secure choices on the road.

To be fair, the desktop has greater potential for hardware compartmentalization… separate controllers for various devices instead of many things being controlled by just a few PCI controllers. Not to mention a greater selection of components that are more robust, with better specs.

But I think the laptop wins by a pretty large margin.

fiftyfourthparallel · December 8, 2021, 11:43am

Are there any use-cases or threat models in which desktops win by a large margin?

necker · December 8, 2021, 12:21pm

I was just thinking about that.

Maybe a server? Situations that require the most robust builds with processor speed, large amounts of RAM and drive space, etc. Something capable of storing and serving large amounts of data, running resource intensive software and/or managing high end surveillance systems & smoothly scrubbing through 4k video feeds. Something secured in a vaulted safe room with Tempest rated infrastructure and shielded network and power lines. A room with exotic firearms mounted on the walls and extremely beautiful women with advanced degrees from MIT assisting with day to day operations. Something like that.

necker · December 8, 2021, 12:58pm

I hope my humor is appreciated… I suppose there could be room for misinterpreting me.

fiftyfourthparallel · December 8, 2021, 1:45pm

I don’t understand how you can consider a room secure without sharks with frickin’ lasers attached to their heads.

download

On a slightly more serious note, you might be interested in the specifications for a SCIF. Apparently the president goes around with a tent SCIF–I’d love to get my hands on one of those.

necker · December 8, 2021, 1:53pm

Get_Smart-Cone-of-silence

Sven · December 8, 2021, 5:19pm

The “ultimate secure workstation” would be one that has only open components, is fully auditable and has physical and logical tamper detection. That machines doesn’t exist unfortunately.

So we have to work with approximations. First we need a disabled ME, and established root of trust. In other words: heads. That in turn shrinks our options down to a very small number of boards, unless you have the time and energy to port heads. It can be done as the heads community demonstrates.

Before this pandemic my job required frequent travel (~50% of the time), but it is clear now these times never come back: good riddance! I for one won’t miss all the lifetime wasted in airports, rental cars, restaurants and hotels. It sounds cool to some, but it get’s old really fast. So a desktop would be a real possibility.

In this context I have high hopes for Qubes AIR. Not to use it over the internet with hardware owned by someone else, but as a local cluster of trusted (probably older) machines. Imagine a rack of 4 or more T430’s connected to each other via Ethernet. … that would be 64 GB of RAM, 16 cores while not compromising on the root of trust.

That’s not a laptop anymore, but also not a desktop. It would be a cluster. I can’t wait.

fsflover · December 8, 2021, 6:33pm

How about this one? Cannot run Qubes, but I guess it goes in the right direction?

alzer89 · December 9, 2021, 1:09am

It is definitely appreciated.

alzer89 · December 9, 2021, 1:11am

That sounds like Google’s headquarters in Turkmenistan.

I hope my humour is appreciated too.

fiftyfourthparallel · December 9, 2021, 1:34am

A post was merged into an existing topic: What would ideal hardware for Qubes look like?

fiftyfourthparallel · December 9, 2021, 1:21am

Already did it:

fsflover · December 9, 2021, 9:21am

You can quote though:

alzer89 wrote:

What would ideal hardware for Qubes look like?

I also agree with all of @Sven’s points, with a few of my own:

Laptop

The internal keyboard and trackpad must be on its own bus

all other internal peripherals should either be on their own dedicated bus, or at the very least grouped by function/purpose

integrated graphics AND discrete GPU (possibly multiple GPUs, for passthrough fir gaming, video editing and mining)

Multiple M.2 slots for SSDs

MANY MANY SODIMM slots for RAM for Qubes

Kill-switches for camera

Ports ports and more ports, of all varieties (maybe even interchangeable like the Framework Laptop, allowing more flexibility to port passthrough)

Maybe some kind of “USB Condom” on all USB ports

FOSS-friendly Ethernet (potentially multiple RJ45 ports) and wifi (preferably multiple antennas, for pentesting)

Enough battery life for 3-4 hours of use at full load

4k display (potentially touchscreen)

Rugged enough to “take a beating”, but elegant enough to not look like you’re on an archaeological excavation endeavour

I don’t care if it’s a brick, I’ll still carry it round

Desktop

LOTS of PCI slots

LOTS of separate USB Buses (preferably max two ports per bus, as you can always use adapters to connect more devices)

Maybe some kind of “USB Condom” on all USB ports

FOSS-friendly Ethernet and wifi

FOSS BIOS (ideally Heads or a fork of Heads)

UPS (just in case, even if it’s only a 10-minute battery, just so your machine can shut down properly)

SILENT FANS, or no fans at all! (I’ve done my time in a server room)

Am I missing anything?

Disclaimer: This is a wishlist, and I’m fully aware that all of this in a single machine would be difficult, if not impossible….

fiftyfourthparallel · December 12, 2021, 12:11pm

That works too, thanks.

alzer89 · December 14, 2021, 11:09pm

I’ll continue the rant here.

Unfortunately, as I’ve been discovering recently, quite a lot of “high-end” hardware is incredibly proprietary.

I can already sense a lot of people saying “Really? No sh*t, Sherlock…”, so let me clarify

I’ve recently inherited a fair amount of “gaming” machines (many of which are missing key parts), and I’m in the process of upgrading them in preparation for turning them into servers.

Out of 15 machines, I’ve only so far managed to get 3 to post. As for the rest, troubleshooting is an absolute nightmare.

In other cases, for example, when a dedicated CPU fan is not present, I can’t seem to be able to tell the BIOS to throttle the CPU, so it doesn’t overheat. But I can’t do that without getting the machine to actually post, so it’s a vicious cycle

So, not only is it frustrating to be told by your machines “I’m sorry, Dave, I’m afraid I can’t do that…”, it also makes you wonder what else the BIOS might be doing…

Flashing the BIOS doesn’t appear to be a viable option, unless I want to lose a whole bunch of functionality

It’s like being a manager, and having an employee who’s “untouchable” (maybe the director’s son/daughter or something…), and you know you can’t fire them, even though you so desperately want to…

There’s always a trade-off when you are trying to use a device for a use case it wasn’t specifically designed for…